From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Chen Yufeng <chenyufeng@iie.ac.cn>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH v2] iwlegacy: Add sanity check for il->stations[] array index
Date: Thu, 11 Sep 2025 16:33:13 +0200 [thread overview]
Message-ID: <20250911143313.GA9823@wp.pl> (raw)
In-Reply-To: <20250911133950.1152-1-chenyufeng@iie.ac.cn>
On Thu, Sep 11, 2025 at 09:39:50PM +0800, Chen Yufeng wrote:
> In the il_process_add_sta_resp function, the index sta_id in
> il->stations[sta_id] is not validated, which may lead to memory
> corruption if the sta_id index is out of bounds.
>
> Fixes: 0cdc21363cc2 ("iwlegacy: merge common .c files")
This tag is most likely not correct one. I don't think we need
one though.
> Signed-off-by: Chen Yufeng <chenyufeng@iie.ac.cn>
> Reviewed-by: Stanislaw Gruszka <stf_xl@wp.pl>
No, I haven't review the patch.
> ---
> Changes in v2:
> - Add header file commands.h to get IL_STATION_COUNT
> - move the validation of sta_id to il_process_add_sta_resp
>
> drivers/net/wireless/intel/iwlegacy/common.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c
> index b7bd3ec4cc50..2840d0935650 100644
> --- a/drivers/net/wireless/intel/iwlegacy/common.c
> +++ b/drivers/net/wireless/intel/iwlegacy/common.c
> @@ -22,6 +22,7 @@
> #include <net/mac80211.h>
>
> #include "common.h"
> +#include "commands.h"
>
> int
> _il_poll_bit(struct il_priv *il, u32 addr, u32 bits, u32 mask, int timeout)
> @@ -1766,6 +1767,11 @@ il_process_add_sta_resp(struct il_priv *il, struct il_addsta_cmd *addsta,
> IL_ERR("Bad return from C_ADD_STA (0x%08X)\n", pkt->hdr.flags);
> return ret;
> }
> +
> + if (sta_id >= IL_STATION_COUNT) {
> + IL_ERR(il, "invalid sta_id %u", sta_id);
Again, compile test your patches!
Regards
Stanislaw
> + return -EINVAL;
> + }
>
> D_INFO("Processing response for adding station %u\n", sta_id);
>
> --
> 2.34.1
>
prev parent reply other threads:[~2025-09-11 14:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-11 13:39 [PATCH v2] iwlegacy: Add sanity check for il->stations[] array index Chen Yufeng
2025-09-11 14:19 ` Johannes Berg
2025-09-11 14:33 ` Stanislaw Gruszka [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250911143313.GA9823@wp.pl \
--to=stf_xl@wp.pl \
--cc=chenyufeng@iie.ac.cn \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.